Token based new digital cash protocols

ABSTRACT

Digital cash token protocols employ two pairs of private and public keys. Each public key is certified separately and the protocols do not use any blind signature schemes. As a result, the digital cash token protocols provide strong protection of user privacy by using two certified public keys instead of a blind signature. One pair of certified keys consists of one master user private key and one master user public key. A second pair of certified keys consists of one pseudonym user private key and one pseudonym user public key. The use of a master key pair and a pseudonym key pair circumvents the need for blind signatures. As a result, the proposed protocols do not require blind signatures and do not add additional overhead and security requirements necessitated by conventional blind signature schemes. The protocols use public key protocols and digital signatures and symmetric key protocols, which may be readily implemented in standard information security based systems based on cryptographic constructs. In addition, the protocols may be deployed in mobile, off-line, and on-line settings.

TECHNICAL FIELD

This invention relates to digital cash, and more specifically to digitalcash tokens using more than one user public key.

BACKGROUND

In the near future digital cash will come into wider use and it isexpected that people will use the Internet to make digital cash paymentsfor their purchases. Electronic transactions should be convenient,reliable, accurate, and resistant to fraud. Certain electronictransactions also should protect the privacy of payees. For example, acustomer purchasing a service from a vendor over a network should beable to pay for the service in an electronic transaction withoutrevealing their identity.

Some schemes using on-line banking may prevent double spending bychecking each coin against reuse during the time of payment on-linerather than detecting double spending afterwards. However, on-linebanking is obviously not suitable for micro-payments of the averageconsumer. Banks are too few compared with the vast number of small cashtransactions that would need to be processed if average consumertransactions were to be supported. Processing on-line requests for suchtransactions will result in banks becoming serious bottlenecks to handlethese transactions.

Blind signature systems that use off-line digital cash techniques havehigh system complexity. In some other conventional techniques, a coinhas a data size that is too big to be economically used since the coincontains a large number of challenge terms to detect cheating. Inaddition, some techniques also require using complex challenge-responseinteractions between the payer and payee for each coin spent. Again,such complex schemes are also not suitable for micro payments.

Some systems have implemented digital coins that are both secure (in thebank's interest) and afford a heightened assurance of consumer privacyby providing some anonymity to users with respect to both merchants andbanks. Informally, a digital cash scheme is referred to asunconditionally blind or anonymous if the bank that issues a coin isunable to determine, either at the time of withdrawal or later uponexamining circulating or deposited coins, which coin was withdrawn bywhich user. In a unconditionally blind scheme, the user can withdrawmoney from the bank, spend it at a merchant, and be confident that whenthe merchant deposits the money at the bank, the bank will not be ableto recognize the money as the same cash given to the user.

However, researchers have observed that unconditional anonymity inpayment systems might be exploited to facilitate crimes like blackmail.In addition, there is a fear that such schemes of unconditionalanonymity may be abused to perfect crimes of money laundering andkidnapping because this system can make the flow of cash completelyuntraceable. This observation has spurred research into the idea ofmaking anonymity in payment systems conditional, and, in particular,revocable by a third party. This notion is referred to as atrustee-based coin tracing.

One trustee-based tracing scheme is based on a blind Schnorr-likesignature scheme that involves use of interactive proofs betweentrustees and the bank. Another trustee-based tracing scheme is based onblind RSA signatures, but makes use of a cut-and-choose protocol thatresults in a scheme that is flexible. Although this scheme may besomewhat flexible, it has rather large coin sizes and computationalrequirements.

According to another scheme that makes use of a blind signature, a userrequests a pseudonym and registration information from a trustee. Theuser presents this registration information to the bank, andincorporates the information into the coins that are withdrawn.

Another scheme makes use of blind DSS signatures. In this scheme,signing and anonymity revocation may be conducted by differing quorumsof trustees. However, the scheme is implemented on-line only and israther computationally intensive for most operations.

A slightly different approach to trustee-based tracing is a system basedon blind Schnorr signatures in which a user transfers funds from anon-anonymous to an anonymous account where a trustee is capable oflinking the two accounts. The chief disadvantage of this approach isthat once the two accounts are linked, anonymity is eliminated.

Another approach is based on blind Schnorr signatures in which thetrustee is off-line. This system is complex and involves well over adozen modular exponentiations by the user at each coin withdrawal. Laterdevelopments have reduced the computational required in the withdrawalprotocol, as well as the database search requirements in owner tracing.However, the withdrawal protocol still requires over a dozen modularexponentiations on the part of the user.

The use of blinding alone that protects the anonymity of the customer isnot sufficient to safeguard against certain types of fraud. For example,a customer can submit a blinded nonce (a nonce is a piece of data that,for practical purposes, is used only once, for example, a random number)to the certification authority along with $20, receive the blindedcertificate, un-blind it, and then submit the un-blinded certificate asbeing worth $100. This is possible because the certification authoritynever really sees the actual certificate it is signing because of theblinding factor. Thus, although blinding alone protects privacy, it doesnot by itself provide adequate reliability against fraud and misuse.

Another problem of blind signature it is a homomorphism, i.e.,Sign(kx)=Sign(k)Sign(x). It is possible to create pairs r, Sign(r) for arandom message r. More precisely, anyone can choose Sign(r) at randomand then compute r as the function Sign−1 which is known publicly. Thebasic idea is as follows. Customer C chooses a message x which is goingto be the coin. C also generates a pair, k and Sign(k), for a randomnumber k. C sends the product kx to a bank B which computes Sign(kx). Bthen sends Sign(kx) to C, using, for instance, a public encryptionscheme provided by C (using some session key Exchanged between C and Busing a Diffie-Hellman session) or some other form of communication(e.g., delivery on a diskette transported by an armored carrier). C maythen compute Sign(x) by dividing Sign (kx) by Sign (k). The pair (x,Sign(x)) is now redeemable by B at a value usually determined by thesignature being used, and B cannot recognize C when some payee Ppresents (x, Sign(x)) (since the knowledge of kx does not allowpractical recognition of x nor of Sign(x)).

A problem with this approach is that a signature scheme with suchproperties is not secure. This scheme provides that (1) it is easy toforge signatures on random messages, and (2) after seeing the signatureson two messages x1 and x2, it is easy to compute the signature on themessage x=x1x2. In order to overcome this problem, valid messages arerequired to have a special “structure” (e.g., the message x must beencoded using the PKCS#1 standard for digital signature). The hope isthat messages with this structure are sparse and hard to forge evengiven properties (1) and (2) (since messages with that structure willnot appear with a significant probability). However, this is simply ahope and is not a proven mathematical property of the signature schemeor of the encoding. The drawback is that it may be possible to discoveran algorithm to forge messages even when we restrict them to thisstructured sparse set.

Schemes that use virtual accounts have several problems. For example,some virtual accounts do not provide adequate privacy of the user, whileothers are complex requiring a blind signature to protect the privacy ofthe user. Still other embodiments have the bank storing encryptedpseudonym corresponding to the user identification which makes linkingidentity to the pseudonym easy either by cooperation or leakage of thesecret key of the issuer. Accordingly, the privacy of all users can becatastrophically destroyed. In addition, there is a problem of provingthe ownership of the user identity between the user and the bank.

SUMMARY

In one general aspect, a system for implementing a digital cash tokenprotocol comprises: a user having two pairs of user keys, one pairlinked to the real identity of the user, and a second pair linked to thepseudonym identity of the user, a bank to receive a request for anamount of digital cash from the user and generate a request for adigital cash token corresponding to the requested amount; and an issuerof digital cash to issue the digital cash token in response to therequest from the bank, where the first pair of keys is used toauthenticate the user with the bank and to encrypt information sent tothe user from the bank and the second pair of keys is used toauthenticate the user with the issuer of digital cash and to encryptinformation sent to the user from the issuer of digital cash. The firstpair may include a master public key and a master secret key and thesecond pair includes a pseudonym public key and a pseudonym secret key.No link is provided between the master public key and the pseudonympublic key to determine the real identity of a user associated with apseudonym. No link is provided between the master public key and theissued digital cash token, and the master public key is not used forpayments in order to maintain user privacy.

The system also may include a certificate authority to certify thepseudonym public key of a user given the master public key of the userand a user identification. Each public key is certified by thecertificate authority using a separate certificate. The user maytransfer the issued digital cash token to another user that has acertified pseudonym public key. The certificate authority stores thepseudonym public key in correspondence to a user id or the master publickey and issues a license for the pseudonym public key in response to arequest which is signed by the master private key of the user. Thecertificate authority reveals the identity of the owner of a pseudonympublic key if there is any misuse of digital cash token.

The master keys may be used to generate digital signatures forauthentication with the certificate authority and the bank. Thepseudonym keys may be used to generate digital signatures forauthentication with the issuer of digital cash. The issuer of digitalcash tokens issues a digital cash license to the user and storesinformation related to the issued digital cash token. The storedinformation related to the issued digital token may include a randomnumber.

In another general aspect, a digital cash issuing system for a user hastwo pairs of user keys, one pair linked to a real identity of the user,and a second pair linked to a pseudonym identity of the user. The systemcomprises: an input to receive to receive a request from a user for adigital cash license, to receive a request from a bank for a digitalcash token, and to receive the digital cash token and a challenge as arequest for payment from a shop; a processor to process the user requestand issue the digital cash license for a pseudonym of the user; togenerate and issue the digital cash token in response to the bankrequest; to process a request form payment from a shop including thereceived digital cash token and challenge and issue a payment to theshop in response to the shop request; and an output to send the digitalcash license to the user, the digital cash token to the bank, thepayment to the shop, where the second pair of keys is used toauthenticate the user with the digital cash system and to encryptinformation sent to the user from the digital cash system. The firstpair may include a master public key and a master secret key and thesecond pair includes a pseudonym public key and a pseudonym secret key.No link is provided between the master public key and the pseudonympublic key to determine the real identity of a user associated with apseudonym. No link is provided between the master public key and theissued digital cash token, and the master public key is not used forpayments in order to maintain user privacy.

Each public key may be certified by a certificate authority using aseparate certificate. The user may transfer the issued digital cashtoken to another user that has a certified pseudonym public key.Pseudonym keys are used to generate digital signatures forauthentication with the digital cash system. The processor may send arequest to a certificate authority to reveal the identity of the ownerof a pseudonym public key if there is any misuse of the digital cashtoken.

The processor is configured to generate the digital cash token bydetermining an amount of digital cash and a random number which aresigned with a secret key of the digital cash system and storing therandom number. The processor also is configured to processes the requestfor payment by verifying the user pseudonym secret key and determine ifthe random number of the digital cash token is stored.

In yet another general aspect, a method for implementing a digital cashprotocol for a user having two pairs of user keys, one pair linked tothe real identity of the user including a master public key (mPKU) and amaster secret key (mSKU), and a second pair linked to the pseudonymidentity of the user including a pseudonym public key (PPKU) and apseudonym secret key (pSKU), in a system including a certificateauthority, a bank of the user, an issuer of digital cash tokens, and ashop, the method comprises: registering a user with the certificateauthority to store the pPKU in connection with a user id (UID) and themPKU; issuing a license for the pPKU in response to a request from theuser for digital currency which is signed by the mPKU; generating alicense by the issuer of digital cash tokens for the pPKU of aregistered user; sending a request for an amount of digital cash to thebank from the user including the pPKU; sending a request for a digitalcash token in the requested amount from the bank to the digital cashtokens issuer; issuing the digital cash token in response to a requestfrom the bank; and providing the digital cash token to the user for useas digital currency, where the digital cash token includes the amountand a random number stored by the digital cash token issuer.

The method may further include providing no link between the mPKU andthe pPKU to determine the real identity of a user associated with apseudonym.

The method may further include providing no link between the mPKU andthe issued digital cash token, and the mPKU is not used for payments inorder to maintain user privacy.

The method may further include certifying each public key by acertificate authority using a separate certificate.

The method may further include transferring the issued digital cashtoken from the user to another user that has a certified pseudonympublic key.

The method may further include generating digital signatures forauthentication with the digital cash system using the pseudonym keys.

The method may further include revealing the identity of the userassociated with the pPKU if there is any misuse of the digital cashtoken.

The method may further include: providing the digital cash token anddigital token issuer license from the user to a shop as a request forpayment of an amount; challenging the request for payment from the user;signing the challenge by the user with the pSKU; sending the digitaltoken and the signed challenge to the digital cash token for payment ofthe amount; verifying the request; and paying the amount, whereinverifying the request for payment includes verifying the pSKU anddetermining if the random number of the digital cash token is stored.

Other features will be apparent from the description, the drawings, andthe claims.

DESCRIPTION OF DRAWINGS

FIG. 1 shows an exemplary system network diagram for implementing thedigital cash token protocol.

FIG. 2 is an exemplary user registration protocol according to the firstembodiment.

FIG. 3 is an exemplary user registration process part 1 according to thefirst embodiment.

FIG. 4 is an exemplary user registration process part 2 according to thefirst embodiment.

FIG. 5 is an exemplary withdrawal protocol according to the firstembodiment.

FIG. 6 is an exemplary withdrawal process part 1 according to the firstembodiment.

FIG. 7 is an exemplary withdrawal process part 2 according to the firstembodiment.

FIG. 8 is an exemplary withdrawal process part 3 according to the firstembodiment.

FIG. 9 is an exemplary payment protocol according to the firstembodiment.

FIG. 10 is and exemplary payment process part 1 according to the firstembodiment.

FIG. 11 is an exemplary payment process part 2 according to the firstembodiment.

FIG. 12 is an exemplary payment process part 3 according to the firstembodiment.

FIG. 13 is an exemplary withdrawal protocol according to the secondembodiment.

FIG. 14 is an exemplary withdrawal process part 1 according to thesecond embodiment.

FIG. 15 is an exemplary withdrawal process part 2 according to thesecond embodiment.

FIG. 16 is an exemplary withdrawal process part 3 according to thesecond embodiment.

FIG. 17 is an exemplary withdrawal protocol according to the thirdembodiment.

FIG. 18 is an exemplary withdrawal process part 1 according to the thirdembodiment.

FIG. 19 is an exemplary withdrawal process part 2 according to the thirdembodiment.

FIG. 20 is an exemplary withdrawal process part 3 according to the thirdembodiment.

FIG. 21 is an exemplary withdrawal process part 4 according to the thirdembodiment.

FIG. 22 is an exemplary withdrawal process part 5 according to the thirdembodiment.

FIG. 23 is an exemplary payment protocol according to the thirdembodiment.

FIG. 24 is an exemplary payment process part 1 according to the thirdembodiment.

FIG. 25 is an exemplary payment process part 2 according to the thirdembodiment.

FIG. 26 is an exemplary payment process part 3 according to the thirdembodiment.

FIG. 27 is an exemplary payment process part 4 according to the thirdembodiment.

FIG. 28 is an exemplary user registration protocol according to thefourth embodiment.

FIG. 29 is an exemplary user registration process part 1 according tothe fourth embodiment.

FIG. 30 is an exemplary user registration process part 2 according tothe fourth embodiment.

FIG. 31 is an exemplary withdrawal protocol according to the fourthembodiment.

FIG. 32 is an exemplary withdrawal process part 1 according to thefourth embodiment.

FIG. 33 is an exemplary withdrawal process part 2 according to thefourth embodiment.

FIG. 34 is an exemplary withdrawal process part 3 according to thefourth embodiment.

FIG. 35 is an exemplary withdrawal protocol according to the fifthembodiment.

FIG. 36 is an exemplary withdrawal process part 1 according to the fifthembodiment.

FIG. 37 is an exemplary withdrawal process part 2 according to the fifthembodiment.

FIG. 38 is an exemplary withdrawal process part 3 according to the fifthembodiment.

FIG. 39 is an exemplary withdrawal protocol according to the sixthembodiment.

FIG. 40 is an exemplary withdrawal process part 1 according to the sixthembodiment.

FIG. 41 is an exemplary withdrawal process part 2 according to the sixthembodiment.

FIG. 42 is an exemplary withdrawal process part 3 according to the sixthembodiment.

FIG. 43 is an exemplary withdrawal process part 4 according to the sixthembodiment.

FIG. 44 is an exemplary withdrawal process part 5 according to the sixthembodiment.

FIG. 45 is an exemplary payment protocol according to the seventh andeighth embodiment.

FIG. 46 is an exemplary payment process part 1 according to the seventhand eighth embodiment.

FIG. 47 is an exemplary payment process part 2 according to the seventhand eighth embodiment.

FIG. 48 is an exemplary payment process part 3 according to the seventhand eighth embodiment.

FIG. 49 is an exemplary payment process part 4 according to the seventhand eighth embodiment.

FIG. 50 is an exemplary payment protocol according to the ninthembodiment.

FIG. 51 is an exemplary payment process part 1 according to the ninthembodiment.

FIG. 52 is an exemplary payment process part 2 according to the ninthembodiment.

FIG. 53 is an exemplary payment process part 3 according to the ninthembodiment.

FIG. 54 is an exemplary payment process part 4 according to the ninthembodiment.

FIG. 55 is an exemplary payment process part 5 according to the ninthembodiment.

FIG. 56 is an exemplary withdrawal protocol according to the tenthembodiment.

FIG. 57 is an exemplary withdrawal process part 1 according to the tenthembodiment.

FIG. 58 is an exemplary withdrawal process part 2 according to the tenthembodiment.

FIG. 59 is an exemplary withdrawal process part 3 according to the tenthembodiment.

FIG. 60 is an exemplary payment protocol according to the tenthembodiment.

FIG. 61 is an exemplary payment process part 1 according to the tenthembodiment.

FIG. 62 is an exemplary payment process part 2 according to the tenthembodiment.

FIG. 63 is an exemplary payment process part 3 according to the tenthembodiment.

FIG. 64 is an exemplary payment process part 4 according to the tenthembodiment.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

Overview

Digital cash token protocols described below employ two pairs of privateand public keys. Each public key is certified separately and theprotocols do not use any blind signature schemes. As a result, thedigital cash token protocols described herein provide strong protectionof the user privacy by using two certified public keys instead of ablind signature.

One pair of certified keys consists of one master user private key andone master user public key. A second pair of certified keys consists ofone pseudonym user private key and one pseudonym user public key. Theuse of a master key pair and a pseudonym key pair circumvents the needfor blind signatures. As a result, the proposed protocols do not requireblind signatures. Therefore, the protocols herein do not add additionaloverhead and security requirements necessitated by conventional blindsignature schemes. The protocols use public key protocols, digitalsignatures and symmetric key protocols, which may be readily implementedin standard information security based systems based on cryptographicconstructs. In addition, the protocols may be deployed in off-line andon-line setting.

The protocols described utilize the following entities: (i) acertificate authority, (ii) a user's bank, (iii) an issuer of digitalcash, and (iv) a shop and (v) the shop's bank.

The certificate authority has storage to store a pseudonym public key incorrespondence to a user id and/or master public key, issues a licensefor the pseudonym public key in response to a request which is signed bythe master private key of the user. The certificate authority revealsthe identity of the owner of a pseudonym public key if there is anymisuse of digital cash tokens or fraud.

The user's bank holds the user's account with his ID, and the certifieduser's maser public key which is used to authenticate a user.

The issuer of digital cash tokens has a storage space for eachregistered user which is known under one or more pseudonyms, issuesdigital cash tokens in response to a request from the user, and storesinformation related to the issued digital cash tokens. The type ofstored information about a digital cash tokens differs depending onwhether traceable or untraceable digital cash tokens are being issued.

As shown in FIG. 1, a system for implementing the protocols includes anumber of entities (e.g., a user, a certificate authority, a digitalcash issuer, a user bank, a shop bank, and a shop).

Each of these entities may send and receive data via any number ofcommunications paths. Each entity may include one or more processingdevices, such as, for example, a general or special-purpose computer,such as a processor, a microprocessor, a microcomputer, a personalcomputer (“PC”), a workstation, a mainframe, a server, a laptop, amobile communications device/phone, a personal digital assistant(“PDA”), an on-board (i.e., vehicle-mounted) computer, or a combinationof two or more of these devices capable of responding to, generating,and/or executing instructions in a defined manner. The processing devicemay include or be associated with any number of other devices,components, and/or peripherals, such as additional computing devices,memory/storage devices, input devices, output devices, user interfaces,and/or communications interfaces.

Each entity also may include one or more software applicationsincluding, for example, encryption decryption software, signaturegenerating software, key generating software, random number generatingsoftware, signature verification software, in addition to other systemand operating system software loaded to command and direct theprocessing device. Software applications may be implemented as acomputer program, a piece of code, an instruction, or some combinationthereof, for independently or collectively instructing the processingdevice to interact and operate as desired.

The applications may be embodied permanently or temporarily in any typeof machine, component, physical or virtual equipment, storage medium, orpropagated signal wave capable of providing instructions to theprocessing device. In particular, the applications may be stored on astorage medium or device including volatile and non-volatile (e.g., aread only memory (ROM), a random access memory (RAM), a flash memory, afloppy disk, a hard disk, a tape, a DROM, a filp-flop, a register, anSRAM, DRAM, PROM, EPROM, OPTROM, EEPROM, NOVRAM, or RAMBUS), such thatif the storage medium or device is read by the processing device, thespecified steps, processes, and/or instructions are performed.

The processing device also may include one or more communicationsinterfaces that allow the processing device to send and receiveinformation using the communications paths. The communications paths maybe configured to send and receive signals (e.g., electrical,electromagnetic, or optical) that convey or carry data streamsrepresenting various types of analog and/or digital data. For example,the communications paths may be implemented using various communicationsmedia and one or more networks comprising one or more network devices(e.g., servers, routers, switches, hubs, repeaters, and storagedevices). The one or more networks may include a local area network(LAN), a wide area network (WAN), a plain old telephone service (POTS)network, a digital subscriber line (DSL) network, an integrated servicesdigital network (ISDN), a synchronous optical network (SONNET), or acombination of two or more of these networks. In addition, thecommunications paths may include one or more wireless links (e.g.,cellular, mobile, GSM, CDMA, TDMA, and satellite) that transmit andreceive electromagnetic signals, such as, for example, radio, infrared,and microwave signals, to convey information. Because the communicationspaths may cover any number of networks and media, generally, they areconsidered unsecured.

The user may be any entity (person, group, business, government and/ororganization) that requires the issuance of digital cash for use apayment to a shop. The certificate authority comprises a storage device,a signature verifying program, an encryption program, a decryptionprogram, and a signature generating program. The user may include aprocessing device, a storage device, an encryption program, a decryptionprogram, a signature verifying program and a key generating program anda signature generating program.

The digital cash issuer provides digital currency or digital cash tokensfor use by the user as payment to a shop. The issuer may include aprocessing device, a storage device, an encryption program, a decryptionprogram, a signature generating program, a signature verifying program,and a random number generating program.

The user's bank may include a processing device, a storage device, asignature verifying program encryption program, a decryption program,and a signature generating program.

The shop may include a processing device, a storage device, a signatureverifying program encryption program, a decryption program, a signaturegenerating program, a random number generating program and a timegenerating program.

Each of the exemplary embodiments for traceable tokens, described indetail below include at least three primary procedures: a userregistration procedure; a withdrawal procedure (e.g., an electronic cashissuing procedure); and a payment procedure. The non-traceableembodiment includes two primary procedures: a withdrawal procedure, anda payment procedure.

In the following description, PKy denotes the public key of the entityy, Sky denotes the private key of the entity y, mPKy and mSKy denotesthe master public and private key of entity y respectively, pPKy andpSKy denotes the pseudonym public and private key of entity yrespectively, PKy(.) indicates that the quantity between parenthesis isencrypted using the public key of entity y, Sky(.) indicates that thequantity between parenthesis is encrypted using the private key ofentity y, and [.]_(SKy) indicates that the quantity between squarebrackets is signed by the private key of entity y. The user public keyPKC is known to all entities. The master public key mPKU is known to allentities. The issuer public key PKI is known to all entities. The bank'spublic key PKB are known to all entities. The shop public key PKS isknown to all entities.

First Embodiment

(1) User Registration Procedure

FIGS. 2, 3, and 4 show the diagrammatic representation of theregistration protocol. Referring to FIG. 3, the user key generatingprogram generates a pseudonym public key and a pseudonym secret key. Thesignature generating program then signs the pseudonym public key and theuser real identification using the user's master secret key. Theencryption program encrypts [UID,pPKU]_(mSKU) using the public key ofthe certificate authority and sends PKC([UID,pPKU]_(mSKU)) to thecertificate authority via a communications path as a request for acertified pseudonym public key (i.e., a request for the issuance of alicense).

The certificate authority receives the request (PKC([UID,pPKU]_(mSKU)))and the decryption program decrypts request using the secret key SKC ofthe certificate authority. The signature verifying program verifies thevalidity of the user signature using the user's master public key mPKU.If the signature is valid, the certificate authority signaturegenerating program generates a signature (license) [pPKU]_(SKC) for theuser's pseudonym public key using the certificate authority's secret keySKC, and stores the user's pseudonym public key in the storage device inconnection with the user's master public key mPKU and the user's realidentification UID. The certificate authority encryption programencrypts the license [pPKU]_(SKC) using the user's master public keymPKU and sends the license mPKU([pPKU]_(SKC)) to the user via acommunications path.

The user receives the encrypted license mPKU([pPKU]_(SKC)) and thedecryption program decrypts the license using the user's master secretkey mSKU. The signature verifying program verifies the validity of thelicense [pPKU]_(SKC) using the public key PKC of the certificateauthority. If the license is valid, the license is stored in the storagedevice.

Referring to FIG. 4, the user encryption program encrypts the license[pPKU]_(SKC), pseudonym public key pPKU using the public key PKI of thedigital cash issuer and sends the encrypted licensePKI([pPKU]_(SKC),pPKU) to the digital cash issuer via a communicationspath as a request for registration in the digital cash issuer and forthe digital cash issuer license.

The digital cash issuer receives the request PKI([pPKU]_(SKC),pPKU) andthe decryption program decrypts the information using the secret key SKIof the digital cash issuer. The digital cash issuer searches for pPKU inits storage to prevent the use of another user's pseudonym public key.If the user's pseudonym public key pPKU is not registered, the digitalcash issuer signature verifying program verifies the validity of thelicense [pPKU]_(SKC) the using the certificate authority's public keyPKC. If the license is valid, the digital cash issuer assigns a storagespace to the user and stores the user's pseudonym public key pPKU. Thedigital cash issuer signature generating program signs the user'spseudonym public key pPKU the using the secret key of the digital cashissuer SKI. The encryption program encrypts the information using theuser's pseudonym public key pPKU and sends pPKU([pPKU]_(SKI)) as alicense to the user via a communications path.

The user receives pPKU([pPKU]_(SKI)), and the decryption programdecrypts the license using the user's pseudonym secret key pSKU. Thesignature verifying program verifies the validity of the digital cashissuer signature using the digital cash issuer's public key PKI. If thesignature is valid, the license [pPKU]_(SKI) is stored in the storagedevice. The user may obtain additional certified pseudonym public keyswithout a limit.

(2) Withdrawal Procedure (i.e., the Electronic Cash Issuing Procedure)

FIGS. 5-8 show a diagrammatic representation of the withdrawal protocol.Referring to FIGS. 5 and 6, the user signature generating program signsthe user's pseudonym public key pPKU and the amount of digital cash xusing the user's pseudonym secret key pSKU. The encryption programencrypts the signed user's pseudonym public key and the amount ofdigital cash [pPKU,x]_(pSKU) using the digital cash issuer's public keyPKI. The signature generating program signs the user real identificationUID, the amount of money to be withdrawn x, the encrypted signed user'spseudonym public key, and the amount of digital cashPKI([pPKU,x]_(pSKU)) using the user's master secret key mSKU. Theencryption program encrypts the information using the public key of thebank PKB and sends PKB([PKI([pPKU,x]_(pSKU)),UID,x]_(mSKU)) to theuser's bank via a communications path.

The bank decryption program decryptsPKB([PKI([pPKU,x]_(pSKU)),UID,x]_(mSKU)) using the bank's secret key SKBand the signature verifying program verifies the validity of thesignature for authentication with the master public key of the usermPKU. If the signature is valid, the amount of money x is withdrawn fromthe user account. The signature generating program signs the encryptedsigned user's pseudonym public key, the amount of digital cashPKI([pPKU,x]_(pSKU), and the withdrawn amount of money x using thebank's secret key SKB. The encryption program encrypts the informationusing the public key of the digital cash issuer PKI and sends theinformation PKI([PKI([pPKU,x]_(pSKU)),x]_(SKB)) to the digital cashissuer via a communications path.

Referring to FIG. 7, the digital cash issuer receives the informationPKI([PKI([pPKU,x]_(pSKU)),x]_(SKB)), and the decryption program decryptsthe information using the digital cash issuer's secret key SKI. Thesignature verifying program verifies the signature of the bank using thepublic key of the user's bank PKB. If the signature is valid, thedigital cash issuer decryption program decrypts PKI([pPKU,x]_(pSKU))using the digital cash issuer's secret key. The signature verifyingprogram verifies the signature of the user using the user's pseudonympublic key pPKU to authenticate the user. If the signature is valid, theissuer verifies the equality of the two amounts x. The amounts are notequal, the real identity of the user is revealed by sending pPKU to thecertificate authority. If the amounts are equal, the digital cash issuerissues a digital cash token that includes the following information: (i)digital cash amount, and (ii) random number. The digital cash issuergenerates a random number Rd and stores the random number in the storagedevice. The signature generating program signs the digital cash amount xand random number Rd using the digital cash issuer's secret key SKI. Theencryption program encrypts the digital cash token using the user'spseudonym public key pPKU. The signature generating program signs theencrypted digital cash token pPKU([x,Rd]SKI) using the digital cashissuer's secret key SKI. The encryption program encrypts the information[pPKU([x,Rd]SKI)]SKI using the public key of the bank PKB, and sendsencrypted information PKB([pPKU([x,Rd]SKI)]SKI) to the user's bank via acommunications path.

Referring to FIG. 8, the user's bank receives the informationPKB([pPKU([x,Rd]SKI)]SKI) and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the encrypted digital cash token pPKU([x,Rd]SKI) is sent to the user viaa communications path.

The user receives the encrypted digital cash token pPKU([x,Rd]SKI). Thedecryption program decrypts the digital cash token using the user'spseudonym secret key. The signature verifying program verifies thevalidity of the digital cash issuer signature using the digital cashissuer's public key PKI. If the signature is valid, the digital cashtoken [x,Rd]SKI is stored in the storage device of the user. The usercan easily transfer the issued digital cash token to another user whohas a certified pseudonym public key.

(3) Payment Procedure

FIGS. 9-12 show the diagrammatic representation of the payment protocol.Referring to FIGS. 9 and 10, the user encryption program encrypts thedigital cash token [x,Rd]SKI and the digital cash issuer license[pPKU]SKI using the public key of the shop PKS, and sends the encryptedinformation to the shop as request for payment. The user can send apayment request using another certified pseudonym public key, becausethe pseudonym is not associated with digital cash token. As a result,the pseudonym may be changed at the time of payment thereby increasinguser flexibility.

The shop decryption program decrypts the encrypted digital cash tokenand the digital cash issuer license PKS([x,Rd]SKI, [pPKU]SKI) using theshop's secret key SKS. The signature verifying program verifies thesignature of the issuer using the digital cash issuer public key PKI. Ifthe signatures are valid, the shop stores the user's digital cash issuerlicense and the digital cash token. The random number generating programgenerates a random number Rs, and the time generating program generatesa time Ts. The encryption program encrypts Rs, Ts, and the shopidentification SID using the user's pseudonym public key pPKU, and sendsthe encrypted information pPKU(Rs,Ts,SID) to the user via acommunications path.

The user receives the encrypted information pPKU(Rs,Ts,SID). Thedecryption program decrypts the information using the user's pseudonymsecret key pSKU. The signature generating program signs the randomnumber Rs, the time Ts, and the shop identification SID using the user'spseudonym secret key pSKU. The encryption program encrypts theinformation using the public key of the shop PKS, and sends theencrypted information PKS([Rs,Ts,SID]pSKU) to the shop via acommunications path.

The shop receives the information PKS([Rs,Ts,SID]pSKU), and thedecryption program decrypts the information using the shop's secret keySKS. The signature verifying program verifies the signature using theuser's pseudonym public key pPKU. If the signature is valid, the shopstores the challenge and regards the payment as valid.

Referring to FIG. 11, after a period of time, the shop encryptionprogram encrypts the information including the challenge that was signedby the user [Rs,Ts,SID]pSKU, the digital cash token [x,Rd]SKI, and theuser's digital cash issuer license [pPKU]SKI, using the public key ofthe digital cash issuer PKI, and sends the information to the digitalcash issuer via a communications path.

The digital cash issuer decryption program decrypts PKI([Rs,Ts,SID]pSKU,[x,Rd]SKI, [pPKU]SKI) using the digital cash issuer's secret key SKI.The signature verifying program verifies the signatures using thedigital cash issuer's public key PKI and the user's pseudonym public keypPKU. If the signatures are valid, the issuer checks the random numberRd. If the random number Rd does not exist, it is determined that thereis a double spending, and the real identity is revealed by sending theuser's pseudonym public key pPKU to the certificate authority. If Rdexists, the random number is deleted, and the digital cash issuer storesthe challenge [Rs,Ts,SID]pSKU in the storage device.

Referring to FIG. 12, the digital cash issuer signature generatingprogram signs the shop identification SID and the amount x to bedeposited for the shop with the digital cash issuer's secret key SKI.The encryption program encrypts the information using the public key ofthe shop's bank PKB, and sends the information PKB([SID,x]SKI) to theshop's bank via a communications path.

The shop's bank receives PKB([SID,x]_(SKI)) and the decryption programdecrypts the information using the secret key SKB. The signatureverifying program verifies the signature with the public key of theissuer PKI. If the signature is valid, the shop's bank adds the amountof money x to the shop's account.

Second Embodiment

In another example, against that because issued public keys may bepassed outside of the issuer's control, a more powerful encryption maybe used to protect against any public key leakage and misuse. Acryptographic coprocessor is used such that once data is encrypted, thedata may not be decrypted without use of the coprocessor. In thisexample, the certification authority, use, and bank entities are asdescribed above, however, the certificate issuer also is provided with acryptographic coprocessor.

(1) User Registration Procedure

The user registration procedure for this example is the same asdescribed above for FIGS. 2-4.

(2) Withdrawal Procedure (i.e., Electronic Cash Issuing Procedure)

FIGS. 13-16 show the diagrammatic representation of a withdrawalprotocol. Referring to FIGS. 13 and 14, the user signature generatingprogram signs the user's pseudonym public key pPKU and the amount ofdigital cash x using the user's pseudonym secret key pSKU. Theencryption program encrypts the signed user's pseudonym public key andthe amount of digital cash [pPKU,x]_(pSKU) using the public key of acryptographic coprocessor PKP. The signature generating program signsthe user real identification UID, the amount of money to be withdrawn x,and PKP([pPKU,x]_(pSKU)) using the user's master secret key mSKU. Theencryption program encrypts the information using the public key of theuser's bank PKB and sends the informationPKB([PKP([pPKU,x]_(pSKU)),UID,x]_(mSKU)) to the user's bank via acommunications path.

The user's bank decryption program decrypts the informationPKB([PKP([pPKU,x]_(pSKU)),UID,x]_(mSKU)) using the bank's secret key.The signature verifying program verifies the validity of the signaturefor authentication with the master public key of the user mPKU. If thesignature is valid, the amount of money x is withdrawn from the useraccount. The signature generating program signs the amount x that iswithdrawn from the user account using the user's bank's secret key SKBand the encryption program encrypts [x]_(SKB) using the public key ofthe cryptographic coprocessor PKP. The information PKP([pPKU,x]_(pSKU))and PKP([x]_(SKB)) is sent to the digital cash issuer via acommunications path.

Referring to FIG. 15, the digital cash issuer receivesPKP([pPKU,x]_(pSKU)) and PKP([x]_(SKB)), and decrypts the informationusing the secret key of the cryptographic coprocessor to obtain thesigned user's pseudonym public key, the amount of digital cash[pPKU,x]_(pSKU) and the signed amount of withdrawn money from the useraccount [X]_(SKB). The signature verifying program verifies thesignature of the bank using the public key of the bank PKB. If thesignature is valid, the digital cash issuer signature verifying programverifies the user's signature [pPKU,x]_(pSKU) using the user's pseudonympublic key pPKU. If the user's signature is valid, the issuer verifiesthat the two amounts x are equal. If the amounts are not equal, the realidentity of the user is revealed by sending pPKU to the certificateauthority. If the amounts are equal, the digital cash issuer issues adigital cash token which includes the information: (i) digital cashamount, and (ii) random number. The digital cash issuer generates arandom number Rd and stores it in the storage device. The signaturegenerating program signs digital cash amount x and random number Rdusing the digital cash issuer's secret key SKI. The encryption programencrypts the information using user's pseudonym public key pPKU, and thesignature generating program signs the encrypted informationpPKU([x,Rd]SKI) using the digital cash issuer's secret key SKI. Theencryption program encrypts [pPKU([x,Rd]SKI)]SKI using the public key ofthe bank PKB, and sends the information PKB([pPKU([x,Rd]SKI)]SKI) to theuser's bank via a communications path.

Referring to FIG. 16, the user's bank receives the informationPKB([pPKU([x,Rd]SKI)]SKI), and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the bank sends the encrypted digital cash token pPKU([x,Rd]SKI) to theuser via a communications path.

The user receives the encrypted digital cash token pPKU([x,Rd]SKI), andthe decryption program decrypts the information using the user'spseudonym secret key pSKU. The signature verifying program verifies thevalidity of the digital cash issuer signature with the digital cashissuer's public key PKI. If the signature is valid, the digital cashtoken [x,Rd]SKI is stored in the storage device of the user. Using thisembodiment, the user can easily transfer the issued digital cash tokento another user who has a certified pseudonym public key.

(3) Payment Procedure

The payment procedure is the same as that described above for FIGS.9-12.

Third Embodiment

In the previous embodiments, the withdrawal process and the paymentprocess are performed from fixed positions, which require the user toaccess user station to buy or to get digital cash. For more convenienceand accessibility, the following example allows a user to use a mobiledevice to buy and to get digital cash. The user mobile device in thisimplementation includes a processing device, a storage device, anencryption program, and a decryption program. However, because thestorage and the computational power of most conventional mobile devicesare limited, the mobile device implementation may provide only a minimumrequirement to protect the security and privacy.

(1) User Registration Procedure

The user registration procedure for this example is the same asdescribed above for FIGS. 2, 3, and 4.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

FIGS. 17-22 show a diagrammatic representation of the withdrawalprotocol. Referring to FIGS. 17 and 18, the user's mobile deviceencryption program encrypts the user's pseudonym public key pPKU and theamount of digital cash x using a mobile-home based shared secret keyMHS. The mobile device sends the information MHS(pPKU,x) to the user'sstation via a communications path.

The user's station receives the encrypted user's pseudonym public keyand the amount of digital cash MHS(pPKU,x) and the decryption programdecrypts the information using the mobile/home shared secret key MHS.The home base station determines if the decrypted pseudonym public keymatches the user's pseudonym public key. If they are the same, theuser's mobile device is authenticated by the user's home station.

Referring to FIG. 19, the user's home station signature generatingprogram signs the user's pseudonym public key pPKU and the amount ofdigital cash x using the user's pseudonym secret key pSKU. Theencryption program encrypts the signed user's pseudonym public key andthe amount of digital cash [pPKU,x]_(pSKU) using the public key of acryptographic coprocessor PKP. The signature generating program signsthe user real identification UID, the amount of money to be withdrawn x,and PKP([pPKU,x]_(pSKU)) using the user's master secret key mSKU. Theencryption program encrypts the information using the public key of theuser's bank PKB and sends PKB([PKP([pPKU,x]_(pSKU)),UID,x]_(mSKU)) tothe user's bank via a communications path.

The user's bank decryption program decryptsPKB([PKP([pPKU,x]_(pSKU)),UID,x]_(mSKU)) using the user's bank's secretkey. The signature verifying program verifies the validity of thesignature for authentication with the master public key of the usermPKU. If the signature is valid, the amount of money x is withdrawn fromthe user account. The signature generating program signs the amount xthat is withdrawn from the user account using the user's bank's secretkey SKB. The encryption program encrypts [x]_(SKB) using the public keyof the cryptographic coprocessor PKP, and sends informationPKP([pPKU,x]_(pSKU)) and PKP([x]_(SKB)) to the digital cash issuer via acommunications path.

Referring to FIG. 20, the digital cash issuer receivesPKP([pPKU,x]_(pSKU)) and PKP([x]_(SKB)), and decrypts the informationusing the secret key of the cryptographic coprocessor to obtain thesigned user's pseudonym public key, the amount of digital cash[pPKU,x]_(pSKU), and the signed amount of withdrawn money from the useraccount [x]_(SKB). The signature verifying program verifies thesignature of the user's bank using the public key of the bank PKB. Ifthe signature is valid, the digital cash issuer signature verifyingprogram verifies the user's signature [pPKU,x]_(pSKU) using the user'spseudonym public key pPKU. If the signature is valid, the issuerverifies that the two amounts x are equal. If the amounts are not equal,the real identity of the user is revealed by sending pPKU to thecertificate authority via a communications path. If the amounts areequal, the digital cash issuer issues a digital cash token that includesthe information: (i) digital cash amount, and (ii) random number. Thedigital cash issuer generates a random number Rd and stores the Rd inthe storage device. The signature generating program signs the digitalcash amount x and random number Rd using the digital cash issuer'ssecret key SKI. The encryption program encrypts the digital cash tokenusing user's pseudonym public key pPKU. The signature generating programsigns the encrypted digital cash token pPKU([x,Rd]SKI) using the digitalcash issuer's secret key SKI. The encryption program encrypts theinformation [pPKU([x,Rd]SKI)]SKI using the public key of the bank PKB,and sends the information PKB([pPKU([x,Rd]SKI)]SKI) to the user's bankvia a communications path.

Referring to FIG. 21, the user's bank receives the informationPKB([pPKU([x,Rd]SKI)]SKI). The decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the encrypted digital cash token pPKU([x,Rd]SKI) is sent to the user'shome station via a communications path.

The user's home station receives the information pPKU([x,Rd]SKI). Thedecryption program decrypts the information using the user's pseudonymsecret key pSKU. The signature verifying program verifies the validityof the digital cash issuer signature with the digital cash issuer'spublic key PKI. If the signature is valid, the digital cash token[x,Rd]SKI is stored in the storage device of the user's home station.

Referring to FIG. 22, the user's home station encryption programencrypts the value of the digital cash token x and the user's pseudonympublic key pPKU using the mobile/home shared secret key MHS, and sendsthe encrypted value MHS(pPKU,x) to the user's mobile device via acommunications path.

The user's mobile device receives the encrypted value of the digitalcash token and the user's pseudonym public key MHS(pPKU,x). Thedecryption program decrypts the information using the mobile/home sharedsecret key MHS. The mobile device determines if the user's pseudonympublic key matches the decrypted user pseudonym public key toauthenticate the user's home station. If the keys match, the user storesthe value of digital cash token in the storage of the mobile device's.According to this embodiment, the user can easily transfer the issueddigital cash token to another user who has certified pseudonym publickey.

(3) Payment Procedure

FIGS. 23-27 show the diagrammatic representation of the paymentprotocol. Referring to FIGS. 23 and 24, the user's mobile device choosesthe value of the digital cash token x and the encryption programencrypts the value and the user's pseudonym public key pPKU using themobile/home shared secret key MHS and sends the encrypted informationMHS(pPKU,x) to the user's station via a communications path.

The user's home station receives the encrypted information MHS(pPKU,x)and the decryption program decrypts the information using themobile/home shared secret key MHS and uses the decrypted to authenticatethe user's mobile device. If the decrypted user's pseudonym public keymatches the user's pseudonym public key, the user's home station findsthe digital cash token that is equivalent to the value that was sent bythe user's mobile device.

Referring to FIG. 25, the user's home station encryption programencrypts the digital cash token [x,Rd]SKI and the digital cash issuerlicense [pPKU]SKI using the public key of the shop PKS, and sends theencrypted information to the shop as request for payment. The user'shome station may send a payment request using another certifiedpseudonym public key. As a result, the user may change the pseudonym atthe payment time because the pseudonym is not associated with digitalcash token, giving the user flexibility in their payment options.

The shop decryption program decrypts the encrypted digital cash tokenand the digital cash issuer license PKS([x,Rd]SKI, [pPKU]SKI) using theshop's secret key SKS. The signature verifying program verifies thesignature of the issuer with the digital cash issuer public key PKI. Ifthe signatures are valid, the shop stores the user's digital cash issuerlicense and the digital cash token. The shop random number generatingprogram generates a random number Rs, and the time generating programgenerates the time Ts. The encryption program encrypt Rs, Ts, and theshop identification SID using the user's pseudonym public key pPKU, andsends the encrypted information pPKU(Rs,Ts,SID) to the user's homestation via a communications path.

The user's home station receives the encrypted informationpPKU(Rs,Ts,SID). The decryption program decrypts the information usingthe user's pseudonym secret key pSKU. The signature generating programsigns the random number Rs, the time Ts, and the shop identification SIDusing the user's pseudonym secret key pSKU. The encryption programencrypts the information using the public key of the shop PKS, and sendsthe encrypted information PKS([Rs,Ts,SID]pSKU) to the shop via acommunications path.

The shop receives the encrypted information PKS([Rs,Ts,SID]pSKU). Thedecryption program decrypts the information using the shop's secret keySKS. The signature verifying program verifies the signature using theuser's pseudonym public key pPKU. If the signature is valid, the shopstores the challenge and the shop regards the payment as valid.

Referring to FIG. 26, after a period of time the shop encryption programencrypts the information that includes the challenge that was signed bythe user [Rs,Ts,SID]pSKU, the digital cash token [x,Rd]SKI, and theuser's digital cash issuer license [pPKU]SKI, using the public key ofthe digital cash issuer PKI, and sends the information to the digitalcash issuer via a communications path.

The digital cash issuer decryption program decrypts PKI([Rs,Ts,SID]pSKU,[x,Rd]SKI, [pPKU]SKI) using the digital cash issuer's secret key SKI.The signature verifying program verifies the signatures using thedigital cash issuer's public key PKI and the user's pseudonym public keypPKU. If the signatures are valid, the issuer checks the random numberRd. If the random number Rd does not exist, it is determined that therehas been a double spending and the real identity is revealed by sendingthe user's pseudonym public key pPKU to the certificate authority. Ifthe random number Rd exists, the random number is deleted, and thedigital cash issuer stores the challenge [Rs,Ts,SID]pSKU in its storagedevice.

Referring to FIG. 27, the digital cash issuer signature generatingprogram signs the shop identification SID, and the amount x to bedeposited for the shop with the digital cash issuer's secret key SKI.The encryption program encrypts the information using the public key ofthe shop's bank PKB and sends PKB([SID,x]_(SKI)) to the shop's bank viaa communications path.

The shop's bank receives PKB([SID,x]_(SKI)) and the decryption programdecrypts the information using the secret key SKB. The signatureverifying program verifies the signature with the public key of theissuer PKI. If the signature is valid, the shop's bank adds the amountof money x to the shop's account.

Fourth Embodiment

In the previous embodiments described above public key encryption isused. Public key encryption adds a cost in power and time used tocomplete a transaction. Therefore, a shared secret key may be used inplace of the public key to hide the pseudonym and the amount of thedigital cash as described in the following example. In this example, thecertificate authority, bank, and user are as described above; however,in addition to the elements described above, the issuer further includesa key pointer KPr generating program.

(1) User Registration Procedure

FIGS. 28-30 show the diagrammatic representation of the registrationprotocol. Referring to FIGS. 28 and 29, the user the key generatingprogram generates a pseudonym public key and a pseudonym secret key. Thesignature generating program signs the pseudonym public key and the userreal identification using user's master secret key. The encryptionprogram encrypts [UID,pPKU]_(mSKU) using the public key of thecertificate authority and sends PKC([UID,pPKU]_(mSKU)) to thecertificate authority as a request for a certified pseudonym public key(i.e., a request for the issuance of a license).

The certificate authority receives the request (PKC([UID,pPKU]_(mSKU)))and the decryption program decrypts the request using the secret key ofthe certificate authority SKC. The signature verifying program verifiesthe validity of the user signature using the user's master public keymPKU. If the signature is valid, the certificate authority the signaturegenerating program generates a signature (i.e., a license) [pPKU]_(SKC)for the user's pseudonym public key using the certificate authority'ssecret key SKC, and stores the user's pseudonym public key in thestorage device in connection with the user's master public key mPKU andthe user's real identification UID. The certificate authority encryptionprogram encrypts the license [pPKU]_(SKC) using the user's master publickey mPKU and sends mPKU([pPKU]_(SKC)) to the user via a communicationspath.

The user receives the encrypted license mPKU([pPKU]_(SKC)) and thedecryption program decrypts the license using the user's master secretkey mSKU. The signature verifying program verifies the validity of thelicense [pPKU]_(SKC) using the public key of the certificate authorityPKC. If the signature is valid, the user key generating programestablishes a user-issuer shared secret key S and stores the license andthe user-issuer shared secret key in the user storage device.

Referring to FIG. 30, the user encryption program encrypts the license[pPKU]_(SKC), pseudonym public key pPKU, and the user-issuer sharedsecret key S using the public key of the digital cash issuer PKI. Theuser then sends PKI([pPKU]_(SKC),pPKU,S) to the digital cash issuer viaa communications path.

The digital cash issuer receives PKI([pPKU]_(SKC),pPKU,S) and thedecryption program decrypts the information using the secret key of thedigital cash issuer SKI. The digital cash issuer searches for pPKU inits storage device to prevent misuse of other users' pseudonym publickey. If the user's pseudonym public key pPKU is not already registered,the digital cash issuer signature verifying program verifies thevalidity of the license [pPKU]_(SKC) using the certificate authority'spublic key PKC. If the license valid, the digital cash issuer assigns anempty storage space to the user and generates a key pointer KPr toidentify the user-issuer shared secret key S. In addition, the cashissuer also stores the user's pseudonym public key pPKU, the user-issuershared secret key S and the key pointer KPr in the storage device. Thedigital cash issuer signature generating program signs the user'spseudonym public key pPKU and the key pointer KPr using the secret keyof the issuer SKI. The encryption program encrypts the information usingthe user-issuer shared secret key S and sends S([pPKU, KPr]_(SKI)) as anacknowledgment to the user via a communications path.

The user receives the acknowledgement S([pPKU, KPr]_(SKI)), and thedecryption program decrypts the information using the user-issuer sharedsecret key S. The signature verifying program verifies the validity ofthe digital cash issuer signature using the digital cash issuer's publickey PKI. If the signature valid, the digital cash issuer stores thelicense [pPKU]_(SKI) and the key pointer KPr in the storage device.According to this example, the user may obtain an unlimited number ofcertified pseudonym public keys.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

FIGS. 31-34 show the diagrammatic representation of the withdrawalprotocol. Referring to FIGS. 31 and 32, the user encryption programencrypts the user's pseudonym public key pPKU and the amount of digitalcash x using the user-issuer shared secret key S. The signaturegenerating program signs the user real identification UID, the amount ofmoney to be withdrawn x, the encrypted user's pseudonym public key, theamount of digital cash S(pPKU,x), and the key pointer KPr using theuser's master secret key mSKU. The encryption program encrypts theinformation using the public key of the user's bank PKB and sendsPKB([S(pPKU,x),UID,x,KPr]_(mSKU)) to the user's bank via acommunications path.

The user's bank decryption program decryptsPKB([S(pPKU,x),UID,x,KPr]_(mSKU)) using the user's bank's secret key.The signature verifying program verifies the validity of the signaturefor authentication with the master public key of the user mPKU. If thesignature is valid, the amount of money x is withdrawn from the useraccount, and the signature generating program signs the encrypted user'spseudonym public key, the amount of digital cash S(pPKU,x), the keypointer KPr, and the withdrawn amount of money x using the bank's secretkey SKB. The encryption program encrypts the information using thepublic key of the digital cash issuer PKI and sendsPKI([S(pPKU,x),KPr,x]_(SKB)) to the digital cash issuer via acommunications path.

Referring to FIG. 33, the digital cash issuer receivesPKI([S(pPKU,x),KPr,x]_(SKB)), and the decryption program decrypts theinformation using the digital cash issuer's secret key SKI. Thesignature verifying program verifies the signature of the bank using thepublic key of the user's bank PKB. If the signature is valid, thedigital cash issuer uses the key pointer KPr to search for theuser-issuer shared secret key S. Once found the decryption programdecrypts S(pPKU,x) using the user-issuer shared secret key S toauthenticate the user by matching the user's pseudonym public key afterthe decryption. If the decrypted key matches the user's pseudonym key,the use is authenticated. The issuer verifies that the two amounts x areequal. If the amounts are not equal, the real identity of the user isrevealed by sending pPKU to the certificate authority. If the amountsare equal, the digital cash issuer issues a digital cash token thatincludes the following information: (i) digital cash amount, and (ii)random number. The digital cash issuer generates the random number Rdand stores the number in its storage device. The signature generatingprogram signs the digital cash amount x and random number Rd using thedigital cash issuer's secret key SKI. The encryption program encryptsthe information using the user-issuer shared secret key S. The signaturegenerating program signs the encrypted information S([x,Rd]SKI) usingthe digital cash issuer's secret key SKI. The encryption programencrypts [S([x,Rd]SKI)]SKI using the public key of the user's bank PKB,and sends PKB([S([x,Rd]SKI)]SKI) to the user's bank via a communicationspath.

Referring to FIG. 34, the user's bank receives the informationPKB([S([x,Rd]SKI)]SKI), and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the bank sends the encrypted digital cash token S([x,Rd]SKI) to the uservia a communications path.

The user receives the encrypted digital cash token S([x,Rd]SKI). Thedecryption program decrypts the digital cash token using the user-issuershared secret key S. The signature verifying program verifies thevalidity of the digital cash issuer signature with the digital cashissuer's public key PKI. If the signature is valid, the digital cashtoken S([x,Rd]SKI) is stored in the storage device of the user.According to this embodiment, the user can easily transfer the issueddigital cash token to another user who has certified pseudonym publickey.

(3) Payment Procedure

The payment procedure is the same as that described above for FIGS.9-12.

Fifth Embodiment

The previous embodiment employs a common key pointer between the digitalcash issuer and the bank to provide an means to link the user's realidentification and the user's pseudonym public key. In the followingexample, the digital cash issuer may use a cryptographic coprocessor toprovide stronger protection of the user's privacy. In thisimplementation, the user encrypts the key pointer using the public keyof cryptographic coprocessor. As a result, the bank may not obtain anydata shared between the user's real identification and the user'spseudonym public key. In addition, the cryptographic coprocessorprovides stronger encryption such that whenever the data is encrypted,the date may not be decrypted without the coprocessor.

(1) User Registration Procedure

The user registration procedure for this example is the same asdescribed above for FIGS. 2, 3, and 4.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

FIGS. 35-38 show the diagrammatic representation of the withdrawalprotocol. Referring to FIGS. 35 and 36, the user encryption programencrypts the user's pseudonym public key pPKU and the amount of digitalcash x using the user-issuer shared secret key S. The encryption programencrypts the encrypted user's pseudonym public key, the amount ofdigital cash S(pPKU,x), and the key pointer KPr using the public key ofa cryptographic coprocessor PKP. The signature generating program signsthe user real identification UID, the amount of money to be withdrawn x,and PKP(S(pPKU,x),KPr) using the user's master secret key mSKU. Theencryption program encrypts the information using the public key of theuser's bank PKB and sends PKB([PKP(S(pPKU,x),KPr),UID,x]_(mSKU)) to theuser's bank via a communications path.

The user's bank decryption program decryptsPKB([PKP(S(pPKU,x),KPr),UID,x]_(mSKU)) using the user's bank's secretkey. The signature verifying program verifies the validity of thesignature for authentication with the master public key of the usermPKU. If the signature is valid, the amount of money x is withdrawn fromthe user account. The signature generating program signs the amount xthat is withdrawn from the user account by using the user's bank'ssecret key SKB. The encryption program encrypts [x]_(SKB) using thepublic key of the cryptographic coprocessor PKP, and sends informationPKP(S(pPKU,x),KPr) and PKP([x]_(SKB)) to the digital cash issuer via acommunications path.

Referring to FIG. 37, the digital cash issuer receivesPKP(S(pPKU,x),KPr) and PKP([x]_(SKB)), and decrypts the informationusing the secret key of the cryptographic coprocessor to obtain theencrypted user's pseudonym public key, the amount of digital cashS(pPKU,x), the key pointer KPr, and the signed amount of withdrawn moneyfrom the user account [x]_(SKB). The signature verifying programverifies the signature of the bank using the public key of the user'sbank PKB. If the signature is valid, the digital cash issuer searchesfor the user-issuer shared secret key S using the key pointer KPr. Onces is obtained, the decryption program decrypts S(pPKU,x) using theuser-issuer shared secret key S to authenticate the user by matchingdecrypted key with the user's pseudonym public key. If the keys match,the user is authenticated, and the issuer verifies that the two amountsx are equal. If the amounts are not equal, the real identity of the useris revealed by sending pPKU to the certificate authority. If the amountsare equal, the digital cash issuer issues a digital cash token thatincludes the following information: (i) digital cash amount, and (ii)random number. The digital cash issuer generates random a number Rd andstores the random number in its storage device. The digital cash issuersignature generating program signs the digital cash amount x and therandom number Rd using the digital cash issuer's secret key SKI. Theencryption program encrypts the information using the user-issuer sharedsecret key S. The signature generating program signs the encryptedinformation S([x,Rd]SKI) using the digital cash issuer's secret key SKI.The encryption program encrypts the signed information [S([x,Rd]SKI)]SKIusing the public key of the user's bank PKB, and sends the encryptedinformation PKB([S([x,Rd]SKI)]SKI) to the user's bank via acommunications path.

Referring to FIG. 38, the user's bank receives the encrypted informationPKB([S([x,Rd]SKI)]SKI), and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the issuer sends the encrypted digital cash token S([x,Rd]SKI) to theuser via a communications path.

The user receives the encrypted digital cash token S([x,Rd]SKI), and thedecryption program decrypts the information using the user-issuer sharedsecret key S. The signature verifying program verifies the validity ofthe digital cash issuer signature with the digital cash issuer's publickey PKI. If the signature is valid, the digital cash token [x,Rd]SKI isstored in the storage device of the user. According to this embodiment,the user can easily transfer the issued digital cash token to anotheruser who has certified pseudonym public key.

(3) Payment Procedure

The payment procedure is the same as that described above for FIGS.9-12.

Sixth Embodiment

The following example provides the enhanced privacy and encryption ofthe previous example described above, in a mobile user deviceenvironment.

(1) User Registration Procedure

The user registration procedure is the same as that described above forFIGS. 28-30.

(2) Withdrawal Procedure (i.e., Electronic Cash Issuing Procedure)

FIGS. 39-44 show the diagrammatic representation of the withdrawalprotocol. Referring to FIGS. 39 and 40, the user's mobile deviceencryption program encrypts the user's pseudonym public key pPKU and theamount of digital cash x using the mobile/home shared secret key MHS andsends the information MHS(pPKU,x) to the user station via acommunications path.

The user station receives the encrypted user's pseudonym public key andthe amount of digital cash MHS(pPKU,x), and the decryption programdecrypts the information using the mobile/home shared secret key MHS.The user station determines if the decrypted key matches the user'spseudonym public key. If the keys match, the user's mobile device isauthenticated by the user station.

Referring to FIG. 41, the user station encryption program encrypts theuser's pseudonym public key pPKU and the amount of digital cash x usingthe user-issuer shared secret key S. The encryption program encrypts theencrypted user's pseudonym public key, the amount of digital cashS(pPKU,x), and the key pointer KPr using the public key of acryptographic coprocessor PKP. The signature generating program signsthe user real identification UID, the amount of money to be withdrawn x,and PKP(S(pPKU,x),KPr) using the user's master secret key mSKU. Theencryption program encrypts the information using the public key of theuser's bank PKB and sends PKB([PKP(S(pPKU,x),KPr),UID,x]_(mSKU)) to theuser's bank via a communications path.

The user's bank decryption program decryptsPKB([PKP(S(pPKU,x),KPr),UID,x]_(mSKU)) by using the user's bank's secretkey. The signature verifying program verifies the validity of thesignature for authentication with the master public key of the usermPKU. If the signature is valid, the amount of money x is withdrawn fromthe user account, and the signature generating program signs the amountx that is withdrawn from the user account using the user's bank's secretkey SKB. The encryption program encrypts [x]SKB using the public key ofthe cryptographic coprocessor PKP, and sends informationPKP(S(pPKU,x),KPr) and PKP([x]_(SKB)) to the digital cash issuer via acommunications path.

Referring to FIG. 42, the digital cash issuer receivesPKP(S(pPKU,x),KPr) and PKP([x]_(SKB)), and decrypts the informationusing the secret key of the cryptographic coprocessor to obtain theencrypted user's pseudonym public key, the amount of digital cashS(pPKU,x), the key pointer KPr, and the signed amount of withdrawn moneyfrom the user account [x]_(SKB). The signature verifying programverifies the signature of the user's bank by using the public key of thebank PKB. If the signature is valid, the digital cash issuer searchesfor the user-issuer shared secret key S using the key pointer KPr. Oncefound, the decryption program decrypts S(pPKU,x) using the user-issuershared secret key S to authenticate the user by matching the decryptedkey with the user's pseudonym public key. If the keys match, the user isauthenticated, and the issuer verifies that the two amounts x are equal.If the amounts are not equal, the real identity of the user is revealedby sending pPKU to the certificate authority. If the amounts are equal,the digital cash issuer issues digital cash token that includes thefollowing information: (i) digital cash amount, and (ii) random number.The digital cash issuer generates a random number Rd and stores it inits storage device. The signature generating program signs the digitalcash amount x and the random number Rd using the digital cash issuer'ssecret key SKI. The encryption program encrypts the information usingthe user-issuer shared secret key S. The signature generating programsigns the encrypted information S([x,Rd]SKI) using the digital cashissuer's secret key SKI. The encryption program encrypts the signedinformation [S([x,Rd]SKI)]SKI using the public key of the user's bankPKBm, and sends the encrypted information PKB([S([x,Rd]SKI)]SKI) to theuser's bank via a communications path.

Referring to FIG. 43, the user's bank then receives the informationPKB([S([x,Rd]SKI)]SKI) and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the issuer sends the encrypted digital cash token S([x,Rd]SKI) to theuser's home station via a communications path.

The user's home station receives the encrypted digital cash tokenS([x,Rd]SKI), and the decryption program decrypts the information usingthe user-issuer shared secret key S. The signature verifying programverifies the validity of the digital cash issuer signature using thedigital cash issuer's public key PKI. If the signature is valid, thedigital cash token [x,Rd]SKI is stored in the storage device of theuser's home station.

Referring to FIG. 44, the user's home station encryption programencrypts the value of the digital cash token x and the user's pseudonympublic key pPKU using the mobile/home shared secret key MHS, and sendsthe encrypted information MHS(pPKU,x) to the user's mobile device via acommunications path.

The user's mobile device receives the encrypted value of the digitalcash token and the user's pseudonym public key MHS(pPKU,x), and thedecryption program decrypts the information using the mobile/home sharedsecret key MHS. The mobile device determines if the user's pseudonympublic key matches the decrypted user pseudonym public key toauthenticate the user's home base station. If they match, the userstores the value of digital cash token in the mobile device's storagedevice. Using this embodiment, the user can easily transfer the issueddigital cash token to another user who has certified pseudonym publickey.

(3) Payment Procedure

The payment protocol is the same as that described above for FIGS. 23and 24-27.

Seventh Embodiment

The previous embodiments described above are implemented as off-lineprotocols. However, these protocols may be modified for on-lineoperation. One possible example follows.

(1) User Registration Procedure

The user registration protocol is the same as described above for FIGS.2, 3, and 4.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

The withdrawal procedure is the same as that described above for FIGS.5-8.

(3) Payment Procedure

FIGS. 45-49 show a diagrammatic representation of the payment protocol.Referring to FIG. 46, the user encryption program encrypts the digitalcash token [x,Rd]SKI and the digital cash issuer license [pPKU]SKI usingthe public key of the shop PKS, and sends the encrypted information tothe shop as request for payment.

The user can send a payment request using another certified pseudonympublic key, because the pseudonym is not associated with digital cashtoken. As a result, the pseudonym may be changed at the time of paymentthereby increasing user payment options.

The shop decryption program decrypts the encrypted digital cash tokenand the digital cash issuer license PKS([x,Rd]SKI, [pPKU]SKI) using theshop's secret key SKS. The signature verifying program verifies thesignature of the issuer with the digital cash issuer public key PKI. Ifthe signatures are valid, the shop encryption program encrypts thedigital cash token [x,Rd]SKI, the user's digital cash issuer license[pPKU]SKI, and the shop identification SID using the public key of thedigital cash issuer PKI, and sends the encrypted digital cash tokenPKI([x,Rd]SKI, [pPKU]SKI, SID) to the digital cash issuer via acommunications path.

Referring to FIG. 47, the digital cash issuer decryption programdecrypts the encrypted digital cash token PKI([x,Rd]SKI, [pPKU]SKI, SID)using the secret key of the digital cash issuer SKI. The signatureverifying program verifies the validity of the digital cash token usingthe digital cash issuer's public key PKI. If the signature is valid, thedigital cash issuer determines whether the token has already been spent.If the token has not been spent, the random number is deleted. Thedigital cash issuer signature generating program signs the shopidentification SID and the amount of digital cash x with the digitalcash issuer's secret key SKI and stores [SID,x]SKI temporarily, to sendit to the shop's bank. The encryption program encrypts the informationusing the public key of the shop PKS, and sends the encryptedinformation PKS([SID,x]SKI) to the shop via a communications path.

The shop receives PKS([SID,x]_(SKI)) and the decryption program decryptsthe information using the secret key SKS. The signature verifyingprogram verifies the signature with the public key of the issuer PKI.Referring to FIG. 48, if the signature is valid, the shop random numbergenerating program generates a random number Rs then the signaturegenerating program signs Rs with the shop's secret key SKS. Theencryption program encrypts the signed random number [Rs]_(SKS) usingthe user's pseudonym public key pPKU and sends pPKU([RS]_(SKS)) to theuser via a communications path.

The user receives pPKU([Rs]_(SKS)) and the decryption program decryptsit using the user's pseudonym secret key pSKU and stores [RS]_(SKS) inthe storage device.

Referring to FIG. 49 the digital cash issuer retrieves the signed shopidentification SID and the signed amount x to be deposited for the shop[SID,x]_(SKI), and the encryption program encrypts the information byusing the public key of the shop's bank PKB before it sendsPKB([SID,x]_(SKI)) to the shop's bank via a communications path.

The shop's bank receives PKB([SID,x]_(SKI)), and the decryption programdecrypts the information using the secret key SKB. The signatureverifying program verifies the signature with the public key of theissuer PKI. If the signature is valid, the shop's bank adds the amountof money x to the shop account.

Eighth Embodiment

This is an on-line protocol with the use of a cryptographic coprocessor.

(1) User Registration Procedure

The user registration procedure for this example is the same asdescribed above for FIGS. 2, 3, and 4.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

The withdrawal procedure for this example is the same as described abovefor FIGS. 13-16.

(3) Payment Procedure

The payment procedure for this example is the same as described abovefor FIGS. 45-49.

Ninth Embodiment

This is an online protocol with a mobile device.

(1) User Registration Procedure

The user registration procedure for this example is the same asdescribed above for FIGS. 2, 3, and 4.

(2) Withdrawal Procedure (Electronic Cash Issuing Procedure)

The withdrawal procedure for this example is the same as described abovefor FIGS. 17-22.

(3) Payment Procedure

FIGS. 50-55 show a diagrammatic representation of the payment protocol.Referring to FIGS. 50 and 51, the user's mobile device chooses the valueof the digital cash token x, and the encryption program encrypts thevalue and the user's pseudonym public key pPKU using the mobile/homeshared secret key MHS. The mobile device sends the encrypted informationMHS(pPKU,x) to the user's home station via a communications path.

The user's home station receives the encrypted information MHS(pPKU,x),and the decryption program decrypts the information using themobile/home shared secret key MHS. The user's home station determines ifuser's pseudonym public key matches the decrypted pseudonym public keyto authenticate the user's mobile based device. If the user's pseudonympublic key matches, the mobile device is authenticated and the user'shome station finds the digital cash token that is equivalent to thevalue that is sent by the user's mobile device.

Referring to FIG. 52, the user's home station encryption programencrypts the digital cash token [x,Rd]SKI and the digital cash issuerlicense [pPKU]SKI using the public key of the shop PKS. The user's homestation sends the encrypted information to the shop via a communicationspath as request for payment.

The user's home based station can send a payment request using anothercertified pseudonym public key, because the pseudonym is not associatedwith digital cash token. As a result, the pseudonym may be changed atthe time of payment thereby increasing user payment options.

The shop decrypts decryption program the encrypted digital cash tokenand the digital cash issuer license PKS([x,Rd]SKI, [pPKU]SKI) using theshop's secret key SKS. The signature verifying program verifies thesignature of the issuer with the digital cash issuer public key PKI. Ifthe signature is valid, the shop encryption program encrypts the digitalcash token [x,Rd]SKI, the user's digital cash issuer license [pPKU]SKI,and the shop identification SID using the public key of the digital cashissuer PKI, and sends the encrypted digital cash token PKI([x,Rd]SKI,[pPKU]SKI, SID) to the digital cash issuer via a communications path.

Referring to FIG. 53, the digital cash issuer decryption programdecrypts the encrypted digital cash token PKI([x,Rd]SKI, [pPKU]SKI, SID)using the secret key of the digital cash issuer SKI. The signatureverifying program verifies the validity of the digital cash token usingthe digital cash issuer's public key PKI. If the signature is valid, thedigital cash issuer determines whether the token has already been spent.If the token has not been spent, the random number is deleted, and thedigital cash issuer signature generating program signs the shopidentification SID and the amount of digital cash x with the digitalcash issuer's secret key SKI. The cash issuer then stores [SID,x]SKItemporarily, to send it to the shop's bank, and the encryption programencrypts the information using the public key of the shop PKS, thensends the encrypted information PKS([SID,x]SKI) to the shop via acommunications path.

The shop receives PKS([SID,x]_(SKI)), and the decryption programdecrypts the information using the secret key SKS. The signatureverifying program verifies the signature with the public key of theissuer PKI. Referring to FIG. 54, if the signature is valid, the shoprandom number generating program generates a random number Rs and thesignature generating program signs Rs with the shop's secret key SKS.The encryption program encrypts the signed random number [RS]_(SKS)using the user's pseudonym public key pPKU and sends pPKU([Rs]_(SKS)) tothe user station via a communications path.

The user station receives pPKU([RS]_(SKS)). The decryption programdecrypts the information using the user's pseudonym secret key pSKU andstores [Rs]_(SKS) in the storage device.

Referring to FIG. 55, the digital cash issuer retrieves the signed shopidentification SID and the signed amount x to be deposited for the shop[SID,x]_(SKI). The encryption program encrypts the information using thepublic key of the shop's bank PKB and sends PKB([SID,x]_(SKI)) to theshop's bank via a communications path.

The shop's bank receives PKB([SID,x]_(SKI)), and the decryption programdecrypts the information by using the secret key SKB. The signatureverifying program verifies the signature with the public key of theissuer PKI. If the signature is valid, the shop's bank adds the amountof money x to the shop account.

Tenth Embodiment

According to this embodiment an online protocol is provided withuntraceable cash tokens. Traceability may be avoided by eliminating theregistration phase. In this case, the user can spend digital cash tokenswithout any reference to the digital cash issuer; however, the protocolstill guarantees that no double spending takes place. As a result, theprotocol includes two stages.

(1) Withdrawal Procedure (Electronic Cash Issuing Procedure)

FIGS. 56-59 show a diagrammatic representation of the withdrawalprotocol. Referring to FIG. 57, the user encryption program encrypts therandom shared secret key SH and the amount of digital cash x using thedigital cash issuer's public key PKI. The signature generating programsigns the user real identification UID, the amount of money to bewithdrawn x, the encrypted random shared secret key SH, and the amountof digital cash x PKI(SH,x) using the user's master secret key mSKU. Theuser encryption program encrypts the information using the public key ofthe user's bank PKB, and sends the encrypted informationPKB([PKI(SH,x),UID,x]mSKU) to the user's bank via a communications path.

The user's bank decryption program decrypts the informationPKB([PKI(SH,x),UID,x]mSKU) using the user's bank's secret key SKB. Thesignature verifying program verifies the validity of the signature forauthentication with the master public key of the user mPKU. If thesignature is valid, the bank withdraws the amount of money x from theuser account, and the signature generating program signs the encryptedrandom shared secret key SH, the amount of digital cash x PKI(SH,x), andthe withdrawn amount of money x using the user's bank's secret key SKB.The bank encryption program encrypts the information using the publickey of the digital cash issuer PKI, and sends the encrypted informationPKI([PKI(SH,x),x]SKB) to the digital cash issuer via a communicationspath.

Referring to FIG. 58, the digital cash issuer receivesPKI([PKI(SH,x),x]SKB). The decryption program decrypts the informationusing the digital cash issuer's secret key SKI. The signature verifyingprogram verifies the signature of the bank using the public key of thebank PKB. If the signature is valid, the digital cash issuer decryptionprogram decrypts the information PKI(SH,x) using the digital cashissuer's secret key. The issuer verifies the equality of the two amountsx. If the amounts are not equal, the process aborts. If the amounts areequal, the digital cash issuer issues a digital cash token that includesthe following information: (i) digital cash amount, and (ii) randomnumber. The digital cash issuer generates a random number Rd and storesthe random number in its storage device. The signature generatingprogram signs digital cash amount x and random number Rd using thedigital cash issuer's secret key SKI. The encryption program encryptsthe information using the random shared secret key SH that was providedby the user. The signature generating program signs the encrypteddigital cash token SH([x,Rd]SKI) using the digital cash issuer's secretkey SKI. The encryption program encrypts the signed, encrypted digitalcash token [SH([x,Rd]SKI)]SKI using the public key of the user's bankPKB, and sends PKB([SH([x,Rd]SKI)]SKI) to the user's bank via acommunications path.

Referring to FIG. 59, the user's bank receives the informationPKB([SH([x,Rd]SKI)]SKI) and the decryption program decrypts theinformation using the user's bank secret key SKB. The signatureverifying program verifies the digital cash issuer signature using thepublic key of the digital cash issuer PKI. If the signature is valid,the issuer sends the encrypted digital cash token SH([x,Rd]SKI) to theuser via a communications path.

The user receives the encrypted digital cash token SH([x,Rd]SKI), andthe decryption program decrypts the encrypted digital cash token usingthe random shared key SH. The signature verifying program verifies thevalidity of the digital cash issuer signature with the digital cashissuer's public key PKI. If the signature is valid, the digital cashtoken [x,Rd]SKI is stored in the storage device of the user.

According to this embodiment, the user can easily transfer the issueddigital cash token to another user who has a certified pseudonym publickey.

(2) Payment Procedure

FIGS. 60-64 show the diagrammatic representation of the paymentprotocol. Referring to FIG. 61, the user encryption program encrypts thedigital cash token [x,Rd]SKI and a random shared secret key SH using thepublic of the shop PKS then sends it to the shop as request for payment.

The shop decryption program decrypts the encrypted digital cash tokenand the random shared secret key PKS([x,Rd]SKI,SH) using the shop'ssecret key SKS. The signature verifying program verifies the signatureof the issuer with the digital cash issuer public key PKI. If thesignature is valid, the shop stores the random shared secret keytemporally in its storage device, and the encryption program encryptsthe digital cash token [x,Rd]SKI and the shop identification SID usingthe public key of the digital cash issuer PKI. The encrypted digitalcash token PKI([x,Rd]SKI,SID) is then sent to the digital cash issuervia a communications path.

Referring to FIG. 62, the digital cash issuer decryption programdecrypts the information PKI([x,Rd]SKI, SID) using the secret key of thedigital cash issuer SKI. The signature verifying program verifies thevalidity of the digital cash token using the digital cash issuer'spublic key PKI. If the token is valid, the digital cash issuerdetermines whether the token has already been spent. If the token hasnot been spent, the random number is deleted, and the digital cashissuer signature generating program signs the shop identification SIDand the amount of digital cash x with the digital cash issuer's secretkey SKI. The digital cash issuer stores signed shop identification andamount [SID,x]SKI temporarily, to send it to the shop's bank, and theencryption program encrypts the information using the public key of theshop PKS. The encrypted information PKS([SID,x]SKI) is then sent to theshop via a communications path.

Referring to FIG. 63, the shop receives the encrypted informationPKS([SID,x]SKI), and the decryption program decrypts the informationusing the secret key SKS. The signature verifying program verifies thesignature with the public key of the issuer PKI. If the signature isvalid, the shop random number generating program generates a randomnumber Rs, and the signature generating program signs Rs with the shop'ssecret key SKS. The encryption program encrypts the signed random number[Rs]SKS using the user's random shared secret key SH, and sendsSH([Rs]SKS) to the user via a communications path.

The user receives the encrypted information SH([Rs]SKS), and thedecryption program decrypts the information using the random sharedsecret key SH. The user stores the signed random number [Rs]SKS in itsstorage device.

Referring to FIG. 64, the digital cash issuer retrieves the signed shopidentification SID and the signed amount x to be deposited for the shop[SID,x]SKI. The encryption program encrypts the information using thepublic key of the shop's bank PKB, and sends the encrypted informationPKB([SID,x]SKI) to the shop's bank via a communications path.

The shop's bank receives the encrypted information PKB([SID,x]SKI), andthe decryption program decrypts the information using the secret keySKB. The signature verifying program verifies the signature with thepublic key of the issuer PKI. If the signature is valid, the shop's bankadds x amount of money to the shop account.

As mentioned, most of the conventional virtual account based digitalcash protocols use blind signature to protect the privacy of the userwhich is not efficient and is vulnerable to fraud. In addition, someoffline protocols do not use blind signature but still have deficiencyin privacy protection and deficiency in authentications. The protocolprovided herein may be implemented in a virtual account based digitalcash system that provides: (i) strong protection of user's privacy (ii)authenticated protocol, (iii) traceability, and (iv) achieving all ofthese without using blind signature schemes.

The protocols described above provide strong protection of privacy forthe user by separating information about the user's bank accounts(identified with the real identity of the user) from the informationabout digital cash tokens of the same user under a pseudonym by usingtwo pair of keys where one pair is linked to the real identity of theuser, while the other pair is linked to the pseudonym identity of theuser. The use of the two pair of keys allows the users to use one pairof keys for authenticating the user with an entity that holdsinformation that is linked to the user's real identity, and forencrypting information sent to the user by such entities. At the sametime, the user can use another pair of keys to authenticate the userwith an entity that holds information that is linked to the user'spseudonym identity such as an issuer of digital cash tokens, and forencrypting information sent to the user by such entities.

Because there is no link between the master public key of the user withthe pseudonym public key of the same user, there is no link between thereal identity of the user and the user's pseudonym. The only exceptionto this is a certificate authority which certifies the pseudonym publickey of a user given a user's master public key and id. There is noshared information about the user between the user's bank and the issuerof digital cash virtual accounts. This separation makes it verydifficult to link the real identity of the user with the user'spseudonym pubic key. Any leak of the private key of the bank or theissuer of digital cash virtual accounts is useless to break the privacyof the user. Since the user's master public key is not linked to digitalcash tokes and is not used for payments, the user's privacy ismaintained. Therefore, strong protection is provided to maintain theuser privacy without involving any blind signature scheme.

In the protocols described above, the user has two pair of keys whereinone pair represents master keys while the other pair representspseudonym keys and wherein each public key is certified by a certifyingauthority using a separate certificate. Digital signatures with masterkeys are used for authentication with the certificate authority and thebank, wherein digital signatures with pseudonym keys are used forauthentication with the issuer of digital cash virtual accounts and theshop. Since all transactions are authenticated using digital signatures,this prevents anyone from pretending to be someone else by providinginformation related to the real user.

A number of exemplary implementations have been described. Nevertheless,it will be understood that various modifications may be made. Forexample, suitable results may be achieved if the steps of describedtechniques are performed in a different order and/or if components in adescribed system, architecture, device, or circuit are combined in adifferent manner and/or replaced or supplemented by other components.Accordingly, other implementations are within the scope of the followingclaims.

1. A digital cash implementing method providing digital cash tokens foran electronic cash system containing a certificate authority, a bank,and an issuer of digital cash tokens, said method comprising the stepsof: a. said certificate authority providing at least two pairs ofcertified keys to a user including a master pair having a private and apublic key and at least a pseudonym pair having a private and publickey; b. said user storing said private master and pseudonym private keysas a secret, said user encrypting a value X using a pseudonym public keyof said user, said user signs using said user master private key thefollowing: a user identification, and said encrypted value X; and showssaid signed user identification, said encrypted value X to said bank andrequests said bank to issue digital cash tokens of a particular facevalue; c. said bank decrementing said face value from a bank account ofsaid user associated with a real identity of said user, signingencrypted value X using said bank private key, and sending signedencrypted value X to issuer of digital cash tokens and requests theissue of digital cash token with said face value; d. generating a randomnumber by issuer of digital cash tokens upon receipt of said bankrequest, combining said random number with said encrypted value X toobtain combined value Y, signing said combined value Y using private keyof digital cash token of said face value, and sending signed saidcombined value Y and said random number to said bank using a securechannel; e. said bank encrypting said combined value Y and said randomnumber using said user's master public key, and sending said encryptedcombined value Y and said random number to said user; f. said userdecrypting said encrypted combined value Y and said random number usingprivate master key of said user, and uses said pseudonym private key ofsaid user on said combined value Y to obtain combined said value X andsaid random number signed with private key of digital cash token of saidface value, and uses said value X, said random number and said combinedof said value X and said random number signed with private key ofdigital cash token of said face value as a digital cash token; and, g.said user verifying said signature on digital cash token using publickey of digital cash token of said faced value, said value X and saidrandom number, and spend said digital cash token in any shop using anypseudonym pair of keys.
 2. The method of claim 1, further comprising thesteps of checking by said user before sending said digital cash token tosaid shop that verification of validity of said digital cash token doesnot require any information in any form about the identity of user ofdigital cash and that digital cash tokens do not contain any informationin any form about one of a group consisting of a master key, anypseudonym public key of a user of digital cash certified by acertificate authority, by a trustee, plurality of trustees, anycertificate of said master key or a pseudonym public key of said user ofdigital cash generated by a certificate authority or by a trustee. 3.The method of claim 2, further comprising the steps of said user usingany pseudonym public key certified by a trustee to spend said digitalcash token and wherein said user checks before spending thatverification of the validity of said digital cash token does not requireany information in any form about the identity of user of digital cashand that digital cash tokens do not contain any information in any formabout, a master key or any pseudonym public key of a user of digitalcash certified by a certificate authority or by a trustee, or anycertificate and license of said master, a pseudonym public key of saiduser of digital cash generated by a certificate authority or by atrustee.
 4. The method of claim 1, further comprising the steps of a.obtaining separate certificates for any pair of keys that are signed bysaid certificate authority; b. verifying by bank that said user accounthas sufficient funds; and c. sending said pseudonym public key and itscertificate to an issuer of digital cash tokens for registration of auser.
 5. The method of claim 1, further comprising the steps of saiduser transferring a digital cash token to another user that has acertified pseudonym public key, wherein said second user can spend saiddigital cash tokens without having to use any of the first user's pairof keys pseudonym, and wherein said second user spends said digital cashtokens by sending to a shop said digital cash tokens and saidcorresponding token random numbers, and wherein second user checksbefore spending that verification of the validity of said digital cashtoken does not require any information in any form about the identity ofuser of digital cash and that digital cash tokens do not contain anyinformation in any form about a master key, any pseudonym public key ofa user of digital cash certified by a certificate authority or by atrustee, any certificate of said master key, a pseudonym public key ofsaid user of digital cash generated by a certificate authority, and by atrustee.
 6. The method of claim 1, further comprising the step ofproviding no link between said master public key of said user and any ofsaid pseudonym public keys of user to determine the real identity of auser associated with a pseudonym.
 7. The method of claim 1, furthercomprising the step of verifying the identity of said pseudonym publickey by said certificate authority when there is fraud of said digitalcash and said digital cash tokens.
 8. The method of claim 1, furthercomprising the steps of sending by said shop a challenge to said user;signing, by said user, said challenge using said pseudonym private key;sending by said user said signed challenged to said shop; sending, bysaid shop, said challenge to said issuer of digital cash tokens forverification using said challenge by said issuer of digital cash tokensto verify that said digital cash tokens have not been spent beforesettling payment with said shop.
 9. The method of claim 8, furthercomprising the step of verifying by issuer of digital cash tokens if adigital cash token with said random number has been used before or notprior to authorizing a payment.